From 29756d48c657dc0b5b4a92d651f5f624ca416df5 Mon Sep 17 00:00:00 2001 From: Lubos Racansky Date: Mon, 4 Sep 2023 07:29:58 +0200 Subject: [PATCH 01/15] Fix #522: Set release version to 1.6.0-SNAPSHOT --- pom.xml | 2 +- powerauth-java-crypto/pom.xml | 2 +- powerauth-java-http/pom.xml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index 0b1ca263c..1f6f0df92 100644 --- a/pom.xml +++ b/pom.xml @@ -25,7 +25,7 @@ io.getlime.security powerauth-crypto-parent - 1.5.0 + 1.6.0-SNAPSHOT pom 2016 diff --git a/powerauth-java-crypto/pom.xml b/powerauth-java-crypto/pom.xml index e48b325d8..51abda4fa 100644 --- a/powerauth-java-crypto/pom.xml +++ b/powerauth-java-crypto/pom.xml @@ -26,7 +26,7 @@ io.getlime.security powerauth-crypto-parent - 1.5.0 + 1.6.0-SNAPSHOT diff --git a/powerauth-java-http/pom.xml b/powerauth-java-http/pom.xml index 8e30eb60a..609299918 100644 --- a/powerauth-java-http/pom.xml +++ b/powerauth-java-http/pom.xml @@ -28,7 +28,7 @@ io.getlime.security powerauth-crypto-parent - 1.5.0 + 1.6.0-SNAPSHOT From f05d136b19c7c2b7dac58de8b7c959f3371d56cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Dvo=C5=99=C3=A1k?= Date: Thu, 7 Sep 2023 12:00:11 +0200 Subject: [PATCH 02/15] Fix #526: Fix incorrect error codes for the header validators (#527) --- .../http/validator/PowerAuthSignatureHttpHeaderValidator.java | 4 ++-- .../http/validator/PowerAuthTokenHttpHeaderValidator.java | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/PowerAuthSignatureHttpHeaderValidator.java b/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/PowerAuthSignatureHttpHeaderValidator.java index 6f05be557..503d6ea9f 100644 --- a/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/PowerAuthSignatureHttpHeaderValidator.java +++ b/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/PowerAuthSignatureHttpHeaderValidator.java @@ -95,12 +95,12 @@ public static void validate(PowerAuthSignatureHttpHeader header) throws InvalidP // Check that version is present final String version = header.getVersion(); if (version == null || version.isEmpty()) { - throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_ENCRYPTION_VERSION_EMPTY"); + throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_SIGNATURE_VERSION_EMPTY"); } // Check that version is correct if (!ValueTypeValidator.isValidProtocolVersion(version)) { - throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_ENCRYPTION_VERSION_INVALID"); + throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_SIGNATURE_VERSION_INVALID"); } } diff --git a/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/PowerAuthTokenHttpHeaderValidator.java b/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/PowerAuthTokenHttpHeaderValidator.java index 322945e1d..7ec285807 100644 --- a/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/PowerAuthTokenHttpHeaderValidator.java +++ b/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/validator/PowerAuthTokenHttpHeaderValidator.java @@ -84,12 +84,12 @@ public static void validate(PowerAuthTokenHttpHeader header) throws InvalidPower // Check that version is present final String version = header.getVersion(); if (version == null || version.isEmpty()) { - throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_ENCRYPTION_VERSION_EMPTY"); + throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_TOKEN_VERSION_EMPTY"); } // Check that version is correct if (!ValueTypeValidator.isValidProtocolVersion(version)) { - throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_ENCRYPTION_VERSION_INVALID"); + throw new InvalidPowerAuthHttpHeaderException("POWER_AUTH_TOKEN_VERSION_INVALID"); } } From 504c9a48a3318de8e46ddade350a125d98cad161 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Dvo=C5=99=C3=A1k?= Date: Thu, 7 Sep 2023 12:00:42 +0200 Subject: [PATCH 03/15] Fix #529: Fix typo in the error message (#530) Optimize imports --- .../crypto/client/activation/PowerAuthClientActivation.java | 2 -- .../powerauth/crypto/client/vault/PowerAuthClientVault.java | 1 - .../powerauth/crypto/lib/encryptor/EncryptorFactory.java | 2 +- .../powerauth/crypto/lib/encryptor/ecies/EciesEncryptor.java | 5 ++++- .../crypto/lib/encryptor/ecies/model/EciesCryptogram.java | 4 +++- .../crypto/lib/encryptor/ecies/model/EciesParameters.java | 4 +++- .../security/powerauth/crypto/lib/util/EciesUtils.java | 4 +--- .../crypto/server/activation/PowerAuthServerActivation.java | 1 - 8 files changed, 12 insertions(+), 11 deletions(-) diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/activation/PowerAuthClientActivation.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/activation/PowerAuthClientActivation.java index a3be5e8a6..3826b3f89 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/activation/PowerAuthClientActivation.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/activation/PowerAuthClientActivation.java @@ -28,10 +28,8 @@ import java.nio.charset.StandardCharsets; import java.security.InvalidKeyException; import java.security.KeyPair; -import java.security.PrivateKey; import java.security.PublicKey; import java.security.interfaces.ECPublicKey; -import java.security.spec.InvalidKeySpecException; import java.util.Arrays; import java.util.Base64; diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/vault/PowerAuthClientVault.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/vault/PowerAuthClientVault.java index f55c66baf..c35026df7 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/vault/PowerAuthClientVault.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/vault/PowerAuthClientVault.java @@ -16,7 +16,6 @@ */ package io.getlime.security.powerauth.crypto.client.vault; -import io.getlime.security.powerauth.crypto.lib.generator.KeyGenerator; import io.getlime.security.powerauth.crypto.lib.model.exception.CryptoProviderException; import io.getlime.security.powerauth.crypto.lib.model.exception.GenericCryptoException; import io.getlime.security.powerauth.crypto.lib.util.AESEncryptionUtils; diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/EncryptorFactory.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/EncryptorFactory.java index 85098a789..949deabe5 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/EncryptorFactory.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/EncryptorFactory.java @@ -22,9 +22,9 @@ import io.getlime.security.powerauth.crypto.lib.encryptor.ecies.ServerEciesEncryptor; import io.getlime.security.powerauth.crypto.lib.encryptor.exception.EncryptorException; import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorId; +import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorParameters; import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorScope; import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorSecrets; -import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorParameters; /** * The {@code EncryptorFactory} class provide high level encryptors for PowerAuth End-To-End encryption implementation. diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesEncryptor.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesEncryptor.java index d17d430a8..f1218bada 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesEncryptor.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/EciesEncryptor.java @@ -23,7 +23,10 @@ import io.getlime.security.powerauth.crypto.lib.generator.KeyGenerator; import io.getlime.security.powerauth.crypto.lib.model.exception.CryptoProviderException; import io.getlime.security.powerauth.crypto.lib.model.exception.GenericCryptoException; -import io.getlime.security.powerauth.crypto.lib.util.*; +import io.getlime.security.powerauth.crypto.lib.util.AESEncryptionUtils; +import io.getlime.security.powerauth.crypto.lib.util.EciesUtils; +import io.getlime.security.powerauth.crypto.lib.util.HMACHashUtilities; +import io.getlime.security.powerauth.crypto.lib.util.KeyConvertor; import org.slf4j.Logger; import org.slf4j.LoggerFactory; diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesCryptogram.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesCryptogram.java index a38d37125..d29eba2df 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesCryptogram.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesCryptogram.java @@ -16,7 +16,9 @@ */ package io.getlime.security.powerauth.crypto.lib.encryptor.ecies.model; -import lombok.*; +import lombok.AllArgsConstructor; +import lombok.Builder; +import lombok.Value; /** * The EciesCryptogram structure represents cryptogram transmitted over the network. diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesParameters.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesParameters.java index e6ee3fe30..e5d7d37dc 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesParameters.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/encryptor/ecies/model/EciesParameters.java @@ -16,7 +16,9 @@ */ package io.getlime.security.powerauth.crypto.lib.encryptor.ecies.model; -import lombok.*; +import lombok.AllArgsConstructor; +import lombok.Builder; +import lombok.Value; /** * The EciesParameters structure represents additional ECIES parameters transmitted over the network. diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/EciesUtils.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/EciesUtils.java index 1cd3120cc..d1087cca3 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/EciesUtils.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/EciesUtils.java @@ -18,8 +18,6 @@ import io.getlime.security.powerauth.crypto.lib.encryptor.ecies.exception.EciesException; import io.getlime.security.powerauth.crypto.lib.encryptor.model.EncryptorScope; -import io.getlime.security.powerauth.crypto.lib.model.exception.CryptoProviderException; -import io.getlime.security.powerauth.crypto.lib.model.exception.GenericCryptoException; import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; @@ -137,7 +135,7 @@ public static byte[] deriveSharedInfo2(String protocolVersion, byte[] sharedInfo throw new EciesException("Missing nonce parameter"); } if (timestamp == null) { - throw new EciesException("Missing nonce parameter"); + throw new EciesException("Missing timestamp parameter"); } if (associatedData == null) { throw new EciesException("Missing associatedData parameter"); diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/activation/PowerAuthServerActivation.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/activation/PowerAuthServerActivation.java index ebd75f0b1..9c99d0a34 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/activation/PowerAuthServerActivation.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/activation/PowerAuthServerActivation.java @@ -34,7 +34,6 @@ import java.security.PrivateKey; import java.security.PublicKey; import java.security.interfaces.ECPublicKey; -import java.security.spec.InvalidKeySpecException; import java.util.Arrays; import java.util.Base64; From b3262905bdb6df86e0d2c75ca96bb77d41f12a83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Dvo=C5=99=C3=A1k?= Date: Thu, 7 Sep 2023 14:32:58 +0200 Subject: [PATCH 04/15] Fix #524: Include version in the token digest (#525) * Fix #524: Include version in the token digest * Include version decision making in the library * Improve the switch-case block a bit --- .../client/token/ClientTokenGenerator.java | 5 +++-- .../powerauth/crypto/lib/util/TokenUtils.java | 17 ++++++++++++----- .../server/token/ServerTokenVerifier.java | 5 +++-- 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/token/ClientTokenGenerator.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/token/ClientTokenGenerator.java index a2227f6ed..581cbc031 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/token/ClientTokenGenerator.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/client/token/ClientTokenGenerator.java @@ -55,13 +55,14 @@ public byte[] generateTokenTimestamp() { * * @param nonce Token nonce, 16 random bytes. * @param timestamp Token timestamp, Unix timestamp format encoded as bytes (from string representation). + * @param version Protocol version. * @param tokenSecret Token secret, 16 random bytes. * @return Token digest computed using provided data bytes with given token secret. * @throws GenericCryptoException In case digest computation fails. * @throws CryptoProviderException In case cryptography provider is incorrectly initialized. */ - public byte[] computeTokenDigest(byte[] nonce, byte[] timestamp, byte[] tokenSecret) throws GenericCryptoException, CryptoProviderException { - return tokenUtils.computeTokenDigest(nonce, timestamp, tokenSecret); + public byte[] computeTokenDigest(byte[] nonce, byte[] timestamp, String version, byte[] tokenSecret) throws GenericCryptoException, CryptoProviderException { + return tokenUtils.computeTokenDigest(nonce, timestamp, version, tokenSecret); } } diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/TokenUtils.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/TokenUtils.java index 9e53650a4..897f921fc 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/TokenUtils.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/TokenUtils.java @@ -92,14 +92,20 @@ public byte[] convertTokenTimestamp(long timestamp) { * Compute the digest of provided token information using given token secret. * @param nonce Token nonce, 16 random bytes. * @param timestamp Token timestamp, Unix timestamp format encoded as bytes (string representation). + * @param version Protocol version. * @param tokenSecret Token secret, 16 random bytes. * @return Token digest computed using provided data bytes with given token secret. * @throws GenericCryptoException In case digest computation fails. * @throws CryptoProviderException In case cryptography provider is incorrectly initialized. */ - public byte[] computeTokenDigest(byte[] nonce, byte[] timestamp, byte[] tokenSecret) throws GenericCryptoException, CryptoProviderException { - byte[] amp = "&".getBytes(StandardCharsets.UTF_8); - byte[] data = ByteUtils.concat(nonce, amp, timestamp); + public byte[] computeTokenDigest(byte[] nonce, byte[] timestamp, String version, byte[] tokenSecret) throws GenericCryptoException, CryptoProviderException { + final byte[] amp = "&".getBytes(StandardCharsets.UTF_8); + final byte[] data; + switch (version) { + case "3.2" -> data = ByteUtils.concat(nonce, amp, timestamp, amp, version.getBytes(StandardCharsets.UTF_8)); + case "3.0", "3.1" -> data = ByteUtils.concat(nonce, amp, timestamp); + default -> throw new GenericCryptoException("Unsupported version value was specified: " + version); + } return hmac.hash(tokenSecret, data); } @@ -107,14 +113,15 @@ public byte[] computeTokenDigest(byte[] nonce, byte[] timestamp, byte[] tokenSec * Validate provided token digest for given input data and provided token secret. * @param nonce Token nonce, 16 random bytes. * @param timestamp Token timestamp, Unix timestamp format encoded as bytes (string representation). + * @param version Protocol version. * @param tokenSecret Token secret, 16 random bytes. * @param tokenDigest Token digest, 32 bytes to be validated. * @return Token digest computed using provided data bytes with given token secret. * @throws GenericCryptoException In case digest computation fails. * @throws CryptoProviderException In case cryptography provider is incorrectly initialized. */ - public boolean validateTokenDigest(byte[] nonce, byte[] timestamp, byte[] tokenSecret, byte[] tokenDigest) throws GenericCryptoException, CryptoProviderException { - return SideChannelUtils.constantTimeAreEqual(computeTokenDigest(nonce, timestamp, tokenSecret), tokenDigest); + public boolean validateTokenDigest(byte[] nonce, byte[] timestamp, String version, byte[] tokenSecret, byte[] tokenDigest) throws GenericCryptoException, CryptoProviderException { + return SideChannelUtils.constantTimeAreEqual(computeTokenDigest(nonce, timestamp, version, tokenSecret), tokenDigest); } } diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/token/ServerTokenVerifier.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/token/ServerTokenVerifier.java index 45c2187b0..5e65f9981 100644 --- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/token/ServerTokenVerifier.java +++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/token/ServerTokenVerifier.java @@ -44,14 +44,15 @@ public byte[] convertTokenTimestamp(long timestamp) { * Validate provided token digest for given input data and provided token secret. * @param nonce Token nonce, 16 random bytes. * @param timestamp Token timestamp, Unix timestamp format encoded as bytes (from string representation). + * @param version Protocol version. * @param tokenSecret Token secret, 16 random bytes. * @param tokenDigest Token digest, 32 bytes to be validated. * @return Token digest computed using provided data bytes with given token secret. * @throws GenericCryptoException In case digest computation fails. * @throws CryptoProviderException In case cryptography provider is incorrectly initialized. */ - public boolean validateTokenDigest(byte[] nonce, byte[] timestamp, byte[] tokenSecret, byte[] tokenDigest) throws GenericCryptoException, CryptoProviderException { - return tokenUtils.validateTokenDigest(nonce, timestamp, tokenSecret, tokenDigest); + public boolean validateTokenDigest(byte[] nonce, byte[] timestamp, String version, byte[] tokenSecret, byte[] tokenDigest) throws GenericCryptoException, CryptoProviderException { + return tokenUtils.validateTokenDigest(nonce, timestamp, version, tokenSecret, tokenDigest); } } From 40ccbd0b9713352ec6cffb7bea07d5e7820c7afe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Sep 2023 05:57:08 +0000 Subject: [PATCH 05/15] Bump org.projectlombok:lombok from 1.18.28 to 1.18.30 Bumps [org.projectlombok:lombok](https://github.com/projectlombok/lombok) from 1.18.28 to 1.18.30. - [Changelog](https://github.com/projectlombok/lombok/blob/master/doc/changelog.markdown) - [Commits](https://github.com/projectlombok/lombok/compare/v1.18.28...v1.18.30) --- updated-dependencies: - dependency-name: org.projectlombok:lombok dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- powerauth-java-crypto/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/powerauth-java-crypto/pom.xml b/powerauth-java-crypto/pom.xml index 51abda4fa..3534babba 100644 --- a/powerauth-java-crypto/pom.xml +++ b/powerauth-java-crypto/pom.xml @@ -69,7 +69,7 @@ org.projectlombok lombok - 1.18.28 + 1.18.30 provided From 712613ba1d5d8bf4cc286b15b194f2be67db93b0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Oct 2023 05:55:39 +0000 Subject: [PATCH 06/15] Bump org.apache.maven.plugins:maven-surefire-plugin from 3.1.2 to 3.2.1 Bumps [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire) from 3.1.2 to 3.2.1. - [Release notes](https://github.com/apache/maven-surefire/releases) - [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.1.2...surefire-3.2.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-surefire-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 574b4dab7..38d243979 100644 --- a/pom.xml +++ b/pom.xml @@ -77,7 +77,7 @@ 3.1.1 3.5.0 3.3.0 - 3.1.2 + 3.2.1 32.1.2-jre 2.0.9 5.9.2 From 2a68cce49ae198d6eb466d614fd5a0191d7ea4d1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Nov 2023 05:17:02 +0000 Subject: [PATCH 07/15] Bump org.apache.maven.plugins:maven-surefire-plugin from 3.2.1 to 3.2.2 Bumps [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire) from 3.2.1 to 3.2.2. - [Release notes](https://github.com/apache/maven-surefire/releases) - [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.2.1...surefire-3.2.2) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-surefire-plugin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 38d243979..ec8e38984 100644 --- a/pom.xml +++ b/pom.xml @@ -77,7 +77,7 @@ 3.1.1 3.5.0 3.3.0 - 3.2.1 + 3.2.2 32.1.2-jre 2.0.9 5.9.2 From 166aeb9db68acb4fad1083886478874aac69b832 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Nov 2023 05:17:07 +0000 Subject: [PATCH 08/15] Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.5.0 to 3.6.2 Bumps [org.apache.maven.plugins:maven-javadoc-plugin](https://github.com/apache/maven-javadoc-plugin) from 3.5.0 to 3.6.2. - [Release notes](https://github.com/apache/maven-javadoc-plugin/releases) - [Commits](https://github.com/apache/maven-javadoc-plugin/compare/maven-javadoc-plugin-3.5.0...maven-javadoc-plugin-3.6.2) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-javadoc-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 38d243979..0ff587508 100644 --- a/pom.xml +++ b/pom.xml @@ -75,7 +75,7 @@ 17 3.3.0 3.1.1 - 3.5.0 + 3.6.2 3.3.0 3.2.1 32.1.2-jre From 379db55393cd7f0273cf62592212921f3a226844 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 Nov 2023 05:15:18 +0000 Subject: [PATCH 09/15] Bump org.bouncycastle:bcprov-jdk18on from 1.76 to 1.77 Bumps [org.bouncycastle:bcprov-jdk18on](https://github.com/bcgit/bc-java) from 1.76 to 1.77. - [Changelog](https://github.com/bcgit/bc-java/blob/main/docs/releasenotes.html) - [Commits](https://github.com/bcgit/bc-java/commits) --- updated-dependencies: - dependency-name: org.bouncycastle:bcprov-jdk18on dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- powerauth-java-crypto/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/powerauth-java-crypto/pom.xml b/powerauth-java-crypto/pom.xml index 3534babba..bb3875b4c 100644 --- a/powerauth-java-crypto/pom.xml +++ b/powerauth-java-crypto/pom.xml @@ -63,7 +63,7 @@ org.bouncycastle bcprov-jdk18on - 1.76 + 1.77 provided From c17d862f60d46672db394dad776066c33e0af3dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Dvo=C5=99=C3=A1k?= Date: Thu, 23 Nov 2023 21:06:49 +0100 Subject: [PATCH 10/15] Fix #539: Improve documentation of MAC token signatures (#540) * Fix #539: Improve documentation of MAC token signatures * Fix a typo --- docs/MAC-Token-Based-Authentication.md | 57 ++++++++++++++------------ 1 file changed, 31 insertions(+), 26 deletions(-) diff --git a/docs/MAC-Token-Based-Authentication.md b/docs/MAC-Token-Based-Authentication.md index 468f8a17f..5d0c5fda4 100644 --- a/docs/MAC-Token-Based-Authentication.md +++ b/docs/MAC-Token-Based-Authentication.md @@ -1,35 +1,39 @@ # MAC Token Based Authentication -While standard PowerAuth signatures are suitable for requests where high degree of authenticity and integrity is required, for high volume common access requests, the strong sequentiality caused by use of a counter might be too restricting. Signed requests must be sent one by one, and a request needs to wait for the previous one to complete. This causes both data processing to be slow and the programming task related to request synchronization to be unnecessarily difficult. +While standard PowerAuth signatures are suitable for requests where a high degree of authenticity and integrity is required, for high-volume common access requests, the strong sequentiality caused by the use of a counter might be too restricting. Signed requests must be sent one by one, and a request needs to wait for the previous one to complete. This causes both data processing to be slow and the programming task related to request synchronization to be unnecessarily difficult. -This is why PowerAuth also supports a simplified MAC Token Based Authentication. As the name suggests, the authentication is achieved by computing a MAC / digest of a pre-shared token. +This is why PowerAuth also supports simplified MAC Token-Based Authentication. As the name suggests, the authentication is achieved by computing a MAC (also called a "digest") using a pre-shared token. ## Security Considerations -There are couple very important things you need to keep in mind while using MAC Token Based Authentication in your APIs: +There are a couple of very important things to keep in mind while using MAC Token-Based Authentication in your APIs: - **Data Integrity** - Since the resulting digest does not include any request data, it does not prevent data from being modified. -- **Replay Attack** - By default, there is no replay attack protection when validating the tokens. You need to implement your own replay attack protection in case you need it, for example by storing already used values of `timestamp` and `nonce` for given `token_id` and disallowing repeated values in certain time window. -- **Single Factor** - While the token has an information about the factors used while the token was created, which is handy while distinguishing different grades of information (for example, some more sensitive info may require token that was created using 2FA), the authentication as such uses only a single factor. It does not include PIN/password or biometric information at all. +- **Single Factor** - While the token has information about the factors used while the token was created, which is handy while distinguishing different grades of information (for example, some more sensitive info may require a token that was created using 2FA), the authentication as such uses only a single factor. It does not include PIN/password or biometric information at all. -As a result, you must use MAC Token Based Authentication for read-only operations only. In other words, use the MAC Token Based Authentication to access resources, not to create or modify them. Use 1FA PowerAuth signature for active operations that create or modify resources. This way, you avoid having repeated or inconsistent data, while allowing access to information that needs to be frequently accessed. +As a result, you must use MAC Token-Based Authentication for read-only operations only. In other words, use the MAC Token-Based Authentication to access resources, not to create or modify them. We recommend using the 1FA PowerAuth signature for active operations that create or modify resources but do not require user's interaction. This way, you avoid having repeated or inconsistent data while allowing access to information that needs to be frequently accessed. Examples: -- MAC Token Based Authentication: Accessing simple information about the account, such as account name, balance of the account and last three transactions, from Apple Watch. -- PowerAuth 1FA Signature: Creating a quick small value payment from an iPhone app. +**MAC Token-Based Authentication** + +Accessing simple information about the account, such as account name, balance of the account, and last three transactions, from Apple Watch. + +**PowerAuth 1FA Signature** + +Creating a quick, low-value payment from an iPhone app. ## Creating a Token In order to create a new token, the client application must call a PowerAuth Standard RESTful API endpoint `/pa/v3/token/create`. -This endpoint must be called with a standard PowerAuth signature. It can be any type of a signature - 1FA, 2FA or 3FA. The token then implicitly carries the information about the signature it was issued with. Using the PowerAuth signature assures authenticity and integrity of the request data. +This endpoint must be called with a standard PowerAuth signature. It can be any type of signature - 1FA or 2FA. The token then implicitly carries the information about the signature it was issued with. Using the PowerAuth signature assures the authenticity and integrity of the data sent during the request. The endpoint then uses the same request and response encryption principles as described in a dedicated chapter for [End-to-End Encryption](./End-To-End-Encryption.md). -Upon receiving and successfully validating a request authenticated using PowerAuth signature, server generates a new token for given activation ID. Information about used signature type and factors are stored with the token. Then, the server takes the token ID and secret and sends them in an ECIES encrypted response to the client. +Upon receiving and successfully validating a request authenticated using a PowerAuth signature, the server generates a new token for a given activation ID. Information about the used signature type and factors are stored with the token. Then, the server takes the token ID and secret and sends them in an ECIES encrypted response to the client. -The decrypted response data payload contains following raw response format: +The decrypted response data payload contains the following raw response format: ```json { @@ -38,29 +42,30 @@ The decrypted response data payload contains following raw response format: } ``` -The `tokenId` value is in UUID level 4 format and it uniquely identifies the token in the system and is sent with every request that requires MAC token based authentication. The `token_secret` value is random 16B value encoded as Base64, it is stored on the device and used as a secret key for computing the MAC later. +The `tokenId` value is in UUID level 4 format, and it uniquely identifies the token in the system and is sent with every request that requires MAC token-based authentication. The `token_secret` value is a random 16B value encoded as Base64. It is stored on the device and used as a secret key for computing the MAC later. -Client stores both `token_id` and `token_secret` in a suitable local storage (iOS Keychain, Android Shared Preferences). +The client stores both `token_id` and `token_secret` in a suitable local storage (iOS Keychain, encrypted Shared Preferences). ## Using the Tokens -When using MAC Token Based Authentication, the authentication of the RESTful API calls is achieved by computing a `token_digest` digest value on a client side that can be later validated on the server side. The algorithms for calculation and verification of the digest are in principle the same. +When using MAC Token-Based Authentication, the authentication of the RESTful API calls is achieved by computing a `token_digest` digest value on the client side that can be later validated on the server side. The algorithms for calculation and verification of the digest are, in principle, the same. -The `token_digest` value is computed using a following algorithm: +The `token_digest` value is computed using the following algorithm: ```java -// '$timestamp' is a unix timestamp in milliseconds (to achieve required time -// precision) converted to string and then to byte[] using UTF-8 +// '$timestamp' is a Unix timestamp in milliseconds (to achieve the required time +// precision) converted to a string and then to byte[] using UTF-8 // encoding +// '$version' is the protocol version, represented as UTF-8 bytes of the version string long timestamp = Time.getTimestamp(); byte[] timestamp_bytes = ByteUtils.encode(String.valueOf(timestamp)); // '$nonce' value is 16B of random data byte[] nonce = Generator.randomBytes(16); -// '$nonce' is concatenated to '$timestamp' using '&' character: -// $nonce + '&' + $timestamp -byte[] data = ByteUtils.concat(nonce, ByteUtils.encode("&"), timestamp_bytes); +// '$nonce' is concatenated to '$timestamp' and '$version' using '&' character: +// $nonce + '&' + $timestamp + '&' + $version +byte[] data = ByteUtils.concat(nonce, ByteUtils.encode("&"), timestamp_bytes, ByteUtils.encode("&"), version); // 'token_secret' is 16B of random data SecretKey key = KeyConversion.secretKeyFromBytes(token_secret); @@ -69,7 +74,7 @@ SecretKey key = KeyConversion.secretKeyFromBytes(token_secret); byte[] token_digest = Mac.hmacSha256(key, data) ``` -In order to use the token authentication with the RESTful API call, you need to set following HTTP header to the request: +In order to use the token authentication with the RESTful API call, you need to set the following HTTP header to the request: ``` X-PowerAuth-Token: PowerAuth token_id="${TOKEN_ID}" @@ -82,14 +87,14 @@ X-PowerAuth-Token: PowerAuth token_id="${TOKEN_ID}" Transport representation of the HTTP header properties is following: - `token_id` - Identifier of the token, as is - UUID level 4. -- `token_digest` - Digest value computed using `token_secret`, `nonce` and `timestamp`, Base64 encoded. +- `token_digest` - Digest value computed using `token_secret`, `nonce`, and `timestamp`, Base64 encoded. - `nonce` - Random cryptographic nonce, 16B long, Base64 encoded. -- `timestamp` - Current timestamp in a Unix timestamp format (in milliseconds, to achieve required time precision), represented as string value. +- `timestamp` - Current timestamp in a Unix timestamp format (in milliseconds, to achieve required time precision), represented as a string value. - `version` - Protocol version. ## Token Removal -You can remove a token with given ID anytime by sending a signed request to the PowerAuth Standard RESTful API endpoint `/pa/v3/token/remove`: +You can remove a token with a given ID anytime by sending a signed request to the PowerAuth Standard RESTful API endpoint `/pa/v3/token/remove`: ```json { @@ -99,9 +104,9 @@ You can remove a token with given ID anytime by sending a signed request to the } ``` -You can use any signature type to authenticate the token removal request. All signature types are allowed because the tokens are mostly used for a simplified access. Allowing user to restrict the access again should be simple, as long as there is at least some authentication that would prevent removing token to the malicious party (causing DoS to the legitimate user). +You can use any signature type to authenticate the token removal request. All signature types are allowed because the tokens are mostly used for simplified access. Allowing the user to restrict the access again should be simple, as long as there is at least some authentication that would prevent removing token to the malicious party (causing DoS to the legitimate user). -In case the signature validation is successful and after validating that the token is associated with the activation used for computing the signature, the token is removed on the server side. The response object only confirms the removal and the payload is typically ignored in the PowerAuth Mobile SDK: +If the signature validation is successful and after validating that the token is associated with the activation used for computing the signature, the token is removed on the server side. The response object only confirms the removal and the payload is typically ignored in the PowerAuth Mobile SDK: ```json { From 6b1553ba7da7a48e871ca9b49b59202505034937 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Dec 2023 05:59:06 +0000 Subject: [PATCH 11/15] Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.6.2 to 3.6.3 Bumps [org.apache.maven.plugins:maven-javadoc-plugin](https://github.com/apache/maven-javadoc-plugin) from 3.6.2 to 3.6.3. - [Release notes](https://github.com/apache/maven-javadoc-plugin/releases) - [Commits](https://github.com/apache/maven-javadoc-plugin/compare/maven-javadoc-plugin-3.6.2...maven-javadoc-plugin-3.6.3) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-javadoc-plugin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 83a48a2d9..1581af800 100644 --- a/pom.xml +++ b/pom.xml @@ -75,7 +75,7 @@ 17 3.3.0 3.1.1 - 3.6.2 + 3.6.3 3.3.0 3.2.2 32.1.2-jre From e9421ca92d327659f5ed7cb677c03812e351df12 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Dec 2023 05:47:01 +0000 Subject: [PATCH 12/15] Bump com.google.guava:guava from 32.1.2-jre to 32.1.3-jre Bumps [com.google.guava:guava](https://github.com/google/guava) from 32.1.2-jre to 32.1.3-jre. - [Release notes](https://github.com/google/guava/releases) - [Commits](https://github.com/google/guava/commits) --- updated-dependencies: - dependency-name: com.google.guava:guava dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 1581af800..7ae722f6a 100644 --- a/pom.xml +++ b/pom.xml @@ -78,7 +78,7 @@ 3.6.3 3.3.0 3.2.2 - 32.1.2-jre + 32.1.3-jre 2.0.9 5.9.2 From 6a62bf2b81582ced495b63d6a3e136943bd24795 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Dec 2023 05:47:03 +0000 Subject: [PATCH 13/15] Bump com.fasterxml.jackson.core:jackson-databind from 2.15.1 to 2.16.0 Bumps [com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson) from 2.15.1 to 2.16.0. - [Commits](https://github.com/FasterXML/jackson/commits) --- updated-dependencies: - dependency-name: com.fasterxml.jackson.core:jackson-databind dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- powerauth-java-crypto/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/powerauth-java-crypto/pom.xml b/powerauth-java-crypto/pom.xml index bb3875b4c..571915eb1 100644 --- a/powerauth-java-crypto/pom.xml +++ b/powerauth-java-crypto/pom.xml @@ -51,7 +51,7 @@ com.fasterxml.jackson.core jackson-databind - 2.15.1 + 2.16.0 test From de8a15ad3264551e930e0715bf2516335da05e6d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Dec 2023 05:47:11 +0000 Subject: [PATCH 14/15] Bump junit.version from 5.9.2 to 5.10.1 Bumps `junit.version` from 5.9.2 to 5.10.1. Updates `org.junit.jupiter:junit-jupiter-engine` from 5.9.2 to 5.10.1 - [Release notes](https://github.com/junit-team/junit5/releases) - [Commits](https://github.com/junit-team/junit5/compare/r5.9.2...r5.10.1) Updates `org.junit.jupiter:junit-jupiter-params` from 5.9.2 to 5.10.1 - [Release notes](https://github.com/junit-team/junit5/releases) - [Commits](https://github.com/junit-team/junit5/compare/r5.9.2...r5.10.1) --- updated-dependencies: - dependency-name: org.junit.jupiter:junit-jupiter-engine dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: org.junit.jupiter:junit-jupiter-params dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 1581af800..ef78dccdc 100644 --- a/pom.xml +++ b/pom.xml @@ -80,7 +80,7 @@ 3.2.2 32.1.2-jre 2.0.9 - 5.9.2 + 5.10.1 From cf723e6cfbc8298d0c1bf999462e600f765733dc Mon Sep 17 00:00:00 2001 From: Lubos Racansky Date: Tue, 12 Dec 2023 08:43:30 +0100 Subject: [PATCH 15/15] Fix #560: Set release version to 1.6.0 --- pom.xml | 2 +- powerauth-java-crypto/pom.xml | 2 +- powerauth-java-http/pom.xml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index 6b1479228..fc05972ce 100644 --- a/pom.xml +++ b/pom.xml @@ -25,7 +25,7 @@ io.getlime.security powerauth-crypto-parent - 1.6.0-SNAPSHOT + 1.6.0 pom 2016 diff --git a/powerauth-java-crypto/pom.xml b/powerauth-java-crypto/pom.xml index 571915eb1..2c4be7391 100644 --- a/powerauth-java-crypto/pom.xml +++ b/powerauth-java-crypto/pom.xml @@ -26,7 +26,7 @@ io.getlime.security powerauth-crypto-parent - 1.6.0-SNAPSHOT + 1.6.0 diff --git a/powerauth-java-http/pom.xml b/powerauth-java-http/pom.xml index 609299918..abd76bead 100644 --- a/powerauth-java-http/pom.xml +++ b/powerauth-java-http/pom.xml @@ -28,7 +28,7 @@ io.getlime.security powerauth-crypto-parent - 1.6.0-SNAPSHOT + 1.6.0